ApsaraVideo Live allows you to perform access control by using a Referer blacklist or whitelist, User-Agent blacklist or whitelist, and IP address blacklist or whitelist. This topic describes the access control feature of ApsaraVideo Live, the scenario in which you can use this feature, and how to configure this feature.

Overview

The access control feature allows you to configure access policies on the cloud to provide basic protection for video resources. The access control feature has a low learning curve and immediately takes effect. The feature requires only simple configuration on the cloud. No additional development is required. The regular access control policies include:

  • Referer blacklist or whitelist
  • User-Agent blacklist or whitelist
  • IP address blacklist or whitelist

Note: You cannot configure a User-Agent blacklist or whitelist in the ApsaraVideo Live console due to cumbersome configuration and the risk of misoperation. If you need to configure a User-Agent blacklist or whitelist, submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.

Scenarios

  • The access control feature requires only simple configuration, which makes the feature easy to use. The access control feature can provide basic protection, especially for access from web browsers.
  • Both Referer and User-Agent blacklists or whitelists are based on HTTP headers that are easy to forge, so they provide a low level of security.
  • An IP address blacklist or whitelist hinders the distribution of content to a large number of consumers, and therefore is not suitable for large-scale content distribution.

Referer blacklist or whitelist

  • Overview
    • Referer is an HTTP request header that is used to track and identify where requests come from. You can configure a Referer blacklist or whitelist to identify and filter users. This allows you to control access to video resources.
    • After a user sends a request to a CDN node, the node authenticates the user based on the preset Referer whitelist or blacklist. If the user passes the authentication, video data is returned. If the user fails the authentication, the request is denied and HTTP status code 403 is returned.
    • A Referer blacklist or whitelist is optional. By default, a Referer blacklist or whitelist is disabled.
    • Entries in a Referer blacklist or whitelist are treated as wildcard domain names. For example, if you enter example.com, the domain name that takes effect is *.example.com, so the Referer blacklist or whitelist takes effect on all subdomain names of example.com.
    • You can specify whether to allow requests that have an empty Referer header to access resources. If you allow the access, users can directly access resources by entering the resource URLs in the address box of a browser.
  • Configuration methods
  • Usage notes
    • The blacklist and whitelist are mutually exclusive and cannot be enabled at the same time.
    • Typically, mobile clients do not provide the Referer header. By default, access requests that have an empty Referer header are allowed. This allows mobile clients to access your resources. You can choose to deny access from requests that have an empty Referer header. If you want to allow access from mobile clients after you deny access from requests that have an empty Referer header, you can set the Referer header for mobile clients by using ApsaraVideo Player.
    • If you deny access from requests that have an empty Referer header, you must configure HTTPS secure acceleration and enable the forcible redirect from HTTP to HTTPS. Some browsers remove the Referer header when a page that is served over HTTPS requests an HTTP resource. In this case, the request arrives with an empty Referer header and the access fails.
  • Example

    You configure a Referer whitelist that includes example.com for the streaming domain demo.developer.aliyundoc.com and deny access from requests that have an empty Referer header.

    1. Request:
      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000'
    2. Response:
      X-Tengine-Error:denied by Referer ACL
    3. A success response is returned for the following request that contains an allowed Referer:
      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'Referer: http://www.example.com' 
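
The Referer rules described above (wildcard subdomain matching, the empty-Referer switch, and mutually exclusive list modes), modeled as an added example that is not Alibaba Cloud code. The function names and sample Referer values are constructed for illustration; it assumes that an entry also matches the bare domain and that matching is done on a label boundary, so notexample.com does not match example.com.

```python
from urllib.parse import urlsplit

def domain_matches(host, entry):
    """True if host is the entry itself or a subdomain of it (label boundary)."""
    entry = entry.lower().lstrip("*.").rstrip(".")
    # Assumption: the entry example.com covers example.com and *.example.com.
    return host == entry or host.endswith("." + entry)

def evaluate_referer(referer, mode, entries, allow_empty=True):
    """Return the status a node would answer with: 200 or 403.

    mode is 'whitelist' or 'blacklist'; a single mode argument reflects that
    the two lists cannot be enabled at the same time.
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    if referer is None or not referer.strip():
        return 200 if allow_empty else 403
    try:
        host = urlsplit(referer.strip()).hostname  # None without scheme://host
    except ValueError:
        host = None
    # Assumption: a Referer that is present but unparseable matches no entry.
    listed = host is not None and any(
        domain_matches(host.rstrip("."), e) for e in entries)
    if mode == "whitelist":
        return 200 if listed else 403
    return 403 if listed else 200

# Constructed sample Referer values, checked against the policy from the
# example above: whitelist = example.com, empty Referer denied.
SAMPLES = [
    None,                                   # no Referer header at all
    "http://www.example.com",               # subdomain of the entry
    "http://example.com/live.html",         # bare domain
    "http://notexample.com/",               # shares a suffix, not a label
    "http://example.com.other.test/",       # entry appears as a prefix only
    "http://other.test/?from=http://www.example.com",  # entry only in query
    "www.example.com",                      # no scheme, so no parseable host
]

def run_samples():
    return [evaluate_referer(r, "whitelist", ["example.com"], allow_empty=False)
            for r in SAMPLES]

if __name__ == "__main__":
    for ref, status in zip(SAMPLES, run_samples()):
        print(status, repr(ref))
```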

User-Agent blacklist or whitelist

  • Overview

    User-Agent is a special string header. It helps the server identify the operating system type and version, CPU type, browser type and version, browser rendering engine, language, and plug-in that are used by users. You can configure a User-Agent blacklist or whitelist to control access from specific browsers or devices.

  • Configuration methods

    Submit a ticket to contact Alibaba Cloud technical support. For more information, see Contact us.

  • Example
    • User-Agent header for Internet Explorer 9.0 on a PC:
      User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
    • Simulate the following HTTP request for verification:
      curl -i 'http://demo.developer.aliyundoc.com/apptest/stream0000' \
      -H 'User-Agent: iPhone OS;MI 5'

IP address blacklist or whitelist

  • Overview

    ApsaraVideo Live allows you to configure an IP address blacklist to deny access from specific IP addresses, or an IP address whitelist to allow access only from specific IP addresses.

    • If an IP address blacklist is configured, the IP addresses in the blacklist are not allowed to access the current accelerated domain name.
    • If an IP address whitelist is configured, only IP addresses in the whitelist can access the current accelerated domain name.
    • You can add a list of IP addresses or a CIDR block.

      For example, you can add 127.0.0.0/24 to the IP address blacklist or whitelist. The /24 suffix indicates that the first 24 bits of the address are the network portion. The remaining 8 bits are host bits. The subnet can accommodate 254 hosts. Therefore, the IP addresses are 127.0.0.0 to 127.0.0.254.

  • Configuration methods
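
The IP address blacklist and whitelist semantics from the overview above, as an added example that is not Alibaba Cloud code. The function names, the list entries and the client addresses are constructed; it assumes standard CIDR matching, under which 127.0.0.0/24 covers the 256 addresses from 127.0.0.0 through 127.0.0.255, so check the boundary addresses when you test a list.

```python
import ipaddress

def parse_acl(entries):
    """Parse single addresses and CIDR blocks into network objects.

    strict=True rejects entries with host bits set, such as 127.0.0.5/24,
    which usually indicate a typo in the list.
    """
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def block_range(cidr):
    """Return (first address, last address, address count) of a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1]), net.num_addresses

def is_allowed(client_ip, mode, networks):
    """True if client_ip may access the domain under the given list mode."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in networks)
    # Whitelist: only listed addresses pass. Blacklist: listed addresses fail.
    return listed if mode == "whitelist" else not listed

# Constructed list: one CIDR block and one single address.
ACL = parse_acl(["127.0.0.0/24", "192.0.2.10"])

# Constructed client addresses, including both ends of the /24.
CLIENTS = ["127.0.0.0", "127.0.0.254", "127.0.0.255",
           "127.0.1.1", "192.0.2.10", "192.0.2.11"]

def run_ip_samples(mode):
    return {ip: is_allowed(ip, mode, ACL) for ip in CLIENTS}

if __name__ == "__main__":
    print(block_range("127.0.0.0/24"))
    for mode in ("whitelist", "blacklist"):
        print(mode, run_ip_samples(mode))
```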